DOD faces intrusion worries

Flat-panel monitors are the norm at the Global Network Operations and Security Center at the Defense Information Systems Agency's headquarters.

Defense Department security officials are concerned that the development of intrusion detection and firewall software is not keeping pace with network use within DOD.

'I'm not convinced that the technology to protect networks is growing at the same pace as the proliferation of networks,' said Army Col. Larry Huffman, commander of the Global Network Operations and Security Center at the Defense Information Systems Agency.

The situation raises a question that has troubled Marvin Langston, DOD deputy chief information officer, and other officials: If DOD buys commercial software that is readily available to enemies, how can it achieve information superiority over them?

Navy Capt. Bob West, deputy commander for the Joint Task Force on Computer Network Defense, said that a lot of people think DOD gets automated information on security incidents that makes it easy to distinguish information attacks. But that's not true, he said.

'My opinion is that the technology of today doesn't tell us what's going on,' West said.

It is the sleuths in the field, the systems administrators, who most easily can help DOD officials detect information attacks, he said.

'It's the sysadmin paying attention to his logs,' West said. 'He could be at work on a Saturday and see that someone who's on leave has an active e-mail account.' Reporting such an incident through the service's computer emergency response center would let DOD give its users an early warning of potential problems, he said.
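The check West describes, an account that is active while its owner is on leave, is easy to automate once the leave roster and the authentication log sit side by side. The following is an added example, not code from the article or from DOD; the log format, the leave roster, the hostnames and the addresses are all constructed for illustration, and failed attempts against a leave user's account are reported alongside successful ones because both are worth a look.

```python
"""Flag login activity for accounts whose owners are on leave.

Added example (not from the article). The leave roster, the syslog-style
line format and the sample lines are constructed; a real deployment would
read the roster from the personnel system and the lines from the mail host.
"""
import re
from datetime import date, datetime

# Constructed leave roster: username -> (first day, last day), inclusive.
LEAVE_ROSTER = {
    "jdoe": (date(1999, 6, 12), date(1999, 6, 26)),
    "asmith": (date(1999, 6, 19), date(1999, 6, 20)),
}

# Constructed POP3 daemon log lines in an assumed format.
SAMPLE_LOG = """\
1999-06-19T09:14:02 mailhost popd: login user=jdoe from=10.1.4.22 status=ok
1999-06-19T09:15:40 mailhost popd: login user=bwest from=10.1.4.31 status=ok
1999-06-19T10:02:11 mailhost popd: login user=asmith from=192.0.2.77 status=ok
1999-06-19T10:03:05 mailhost popd: login user=jdoe from=192.0.2.77 status=fail
1999-06-27T08:00:00 mailhost popd: login user=jdoe from=10.1.4.22 status=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+): login "
    r"user=(?P<user>\S+) from=(?P<src>\S+) status=(?P<status>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def on_leave(user, when, roster=LEAVE_ROSTER):
    """True if the user was on leave on the calendar day of the event."""
    span = roster.get(user)
    if span is None:
        return False
    start, end = span
    return start <= when.date() <= end


def find_leave_activity(log_text, roster=LEAVE_ROSTER):
    """Return every login record (successful or failed) for a user on leave at that time."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and on_leave(rec["user"], rec["ts"], roster):
            hits.append(rec)
    return hits


def summarize(hits):
    """One reportable line per hit, suitable for forwarding to the service CERT."""
    return [f"{h['ts'].isoformat()} {h['user']} from {h['src']} ({h['status']})" for h in hits]


if __name__ == "__main__":
    for line in summarize(find_leave_activity(SAMPLE_LOG)):
        print("REPORT:", line)
```

Of the five constructed lines, three are flagged: two for jdoe (one of them a failed attempt from an outside address) and one for asmith; the 27 June login falls after jdoe's leave ends and is not reported. The roster lookup is by calendar day, so an event at 00:30 on the first day of leave is flagged while a late-night login the evening before is not.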

Although Langston has said he believes DOD can achieve information superiority in part through maintaining proprietary interfaces, GNOSC and JTF-CND officials said intelligence information they gather from their sources is an important weapon.

Even with intelligence data, however, DOD officials often have difficulty finding the real source of information attacks, Huffman said.

'A fundamental problem is what appears to be a source is not the real source,' he said.

Hackers can make denial-of-service and other attacks appear as if they are coming from many sites, he said.

It is not unusual for a hacker to leave a trail through systems located in four or five countries to attack a DOD system, said Bobbie Stempfley, chief of the DOD computer emergency response team.

Every day, 2 terabytes of data travel across the Defense Information Systems Network.

The department also daily handles 1.5 million telephone calls and 120 videoconferences connecting officials at sites around the world.

The nature of the Internet also makes it difficult for DOD officials to detect information attacks, West said. 'There's network noise and chatter,' he said. 'Computers ping at each other all the time' on the Internet.

Background noise

'There's a constant noise level. Figuring out what's irregular is the difficulty' that DOD computer security officials face, he said.

The DOD security team at DISA, working with comparable teams within the services, becomes aware of 80 to 100 incidents each day that look interesting, West said.

Of those, 'eight to 10 require more investigation, and a couple a week are very interesting, and we have to actively address them,' he said.
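One way to do the winnowing West describes, separating a few sources worth investigating from the constant background of chatter, is to build a baseline from the whole population of sources and flag only the outliers. The following is an added example, not code from the article, DISA or the JTF-CND; the firewall-style records, the addresses and the assumed monitoring host are constructed, and the median-plus-MAD threshold is one common robust-statistics choice rather than anything the article attributes to DOD.

```python
"""Separate port-scanning sources from ordinary network chatter.

Added example (not from the article). Records are constructed tuples of
(source, destination, destination port); a real run would read them from
firewall or router logs. A known monitoring host is excluded as expected noise.
"""
import statistics
from collections import defaultdict


def constructed_flows():
    """Constructed sample traffic: many hosts using two services, one host sweeping ports."""
    flows = []
    # Ordinary workstations: POP3 and HTTP, some also SMTP.
    for i in range(1, 41):
        src = f"10.1.4.{i}"
        flows.append((src, "10.1.1.10", 110))
        flows.append((src, "10.1.1.20", 80))
        if i % 4 == 0:
            flows.append((src, "10.1.1.10", 25))
    # Assumed monitoring host pinging the server range; port 0 stands for ICMP echo.
    for i in range(10, 31):
        flows.append(("10.1.9.9", f"10.1.1.{i}", 0))
    # Outside host probing 25 consecutive ports on one server.
    for port in range(20, 45):
        flows.append(("192.0.2.10", "10.1.1.20", port))
    return flows


KNOWN_NOISE = {"10.1.9.9"}  # constructed: the assumed monitoring host


def per_source_targets(flows, ignore=KNOWN_NOISE):
    """Count distinct (destination, port) pairs touched by each source, skipping known noise."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if src in ignore:
            continue
        targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items()}


def robust_outliers(counts, k=5.0):
    """Return (outliers, threshold) where a source is an outlier if its distinct-target
    count exceeds median + k * MAD. MAD is floored at 1 so a population of
    near-identical hosts still produces a usable threshold."""
    values = list(counts.values())
    med = statistics.median(values)
    mad = max(statistics.median(abs(v - med) for v in values), 1.0)
    threshold = med + k * mad
    outliers = sorted(
        ((src, n, (n - med) / mad) for src, n in counts.items() if n > threshold),
        key=lambda t: t[1],
        reverse=True,
    )
    return outliers, threshold


def triage(flows):
    """Summarise the population and the sources that stand out from it."""
    counts = per_source_targets(flows)
    outliers, threshold = robust_outliers(counts)
    return {"sources": len(counts), "threshold": threshold, "outliers": outliers}


if __name__ == "__main__":
    result = triage(constructed_flows())
    print(f"{result['sources']} sources, threshold {result['threshold']:.1f} distinct targets")
    for src, n, score in result["outliers"]:
        print(f"INVESTIGATE {src}: {n} distinct targets (robust score {score:.1f})")
```

On the constructed data the 40 workstations each touch two or three targets, so the median is 2, the MAD floors at 1 and the threshold is 7; only 192.0.2.10, with 25 distinct targets, is flagged. The caveat is the one Huffman and DeLauche raise elsewhere in this article: a per-source baseline catches a single loud scanner, not low-level probing spread across many source addresses, which looks like more background chatter unless the same destinations and ports are correlated across sources.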

Plus, there are jurisdictional issues, West said. JTF-CND officials can only defend DOD systems, so they cannot go beyond the networks' firewalls, he said.

Closer to the front lines, Air Force Materiel Command officials are finding that 'low-level intrusions from multiple IP addresses are increasing,' said John DeLauche, a contract program manager for Operation Palisade at Wright-Patterson Air Force Base, Ohio.

DeLauche works for Science Applications International Corp. of San Diego. His contract team, along with an Air Force team, is performing network assessments on 14 of the service's bases.

To ferret out intrusions, Air Force command officials use Sniffer software from Network Associates Inc. of Santa Clara, Calif.